As used herein, “malicious computer code” is any computer code that enters a computer without an authorized user's knowledge and/or without an authorized user's consent. The malicious code typically performs malicious actions after it arrives on the user's computer. Malicious computer code that propagates from one computer to another over a network, e.g., via e-mail, is often referred to as a “worm” or “spam”. A worm is self-propagating, e.g., after it enters a user's computer, it may spread to other computers by attaching itself to e-mails that are sent to addresses found in the first computer's address book. Spam, on the other hand, is unwanted e-mail received by a computer that does not self-propagate.
Various techniques have been proposed to protect computers against e-mail worms or spam. For example, one such system alerts a network administrator when a certain number of identical e-mails are detected. However, this system does not afford any proactive protection. It is merely an alerting scheme, leaving it up to the administrator to take appropriate action upon receiving the alert. In many cases, by the time the administrator does take action, the e-mail worm has already entered into the computer network, and any actions the administrator could take are merely reactions, such as manually blocking suspicious e-mail traffic and cleaning up the worm infection.
The present invention advances the state of the art in providing proactive protection against e-mail worms and spam.